authorGhanshyam Mann <gmann@ghanshyammann.com>2021-11-30 17:35:45 -0600
committerGhanshyam <gmann@ghanshyammann.com>2022-02-17 05:20:07 +0000
commit60c9e3edadb3497043d20361ff665ed72241301e (patch)
tree4a34746fdceaefc1ef401ecd1d30e61b6a7b2401 /nova/policies
parented1a854c90620716050845c5ff0031d85c1ef81c (diff)
Convert SYSTEM_ADMIN|READER to Admin and system scope
As per the new direction, we will move all the system level policies to system admin, even GET policies. System reader will be added in the next phase in a future cycle. To dissociate the scope checks from the new defaults, check_str is added as the 'admin' rule (role:admin) without 'system:all'. So a policy with that admin rule and scope_type 'system' works like this: - with enforce_scope=false, a legacy or project admin is still able to access the system level APIs. - with enforce_scope=True, only a system user with the admin role can access the system level APIs. Also modifying and adding tests for four cases: 1. enforce_scope=False + legacy rule (current default policies) 2. enforce_scope=False + No legacy rule 3. enforce_scope=True + legacy rule 4. enforce_scope=True + no legacy rule (end goal of new RBAC) Partial implement blueprint policy-defaults-refresh-2 Change-Id: I344276d2ab054311a4b6c34c6998e116e7507246
Diffstat (limited to 'nova/policies')
-rw-r--r--nova/policies/aggregates.py18
-rw-r--r--nova/policies/availability_zone.py2
-rw-r--r--nova/policies/baremetal_nodes.py4
-rw-r--r--nova/policies/hosts.py12
-rw-r--r--nova/policies/hypervisors.py14
-rw-r--r--nova/policies/quota_class_sets.py4
-rw-r--r--nova/policies/services.py6
7 files changed, 30 insertions, 30 deletions
diff --git a/nova/policies/aggregates.py b/nova/policies/aggregates.py
index ea629a5db1..73597f73eb 100644
--- a/nova/policies/aggregates.py
+++ b/nova/policies/aggregates.py
@@ -25,7 +25,7 @@ NEW_POLICY_ROOT = 'compute:aggregates:%s'
aggregates_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'set_metadata',
- check_str=base.SYSTEM_ADMIN,
+ check_str=base.ADMIN,
description="Create or replace metadata for an aggregate",
operations=[
{
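Review bot: With `check_str=base.ADMIN` the check string no longer asserts system scope itself, so the `scope_types=['system']` that closes each of these rules only restricts callers when `[oslo_policy] enforce_scope` is true, and nothing in the module says so. The commit message states this is intended, but a reader of aggregates.py cannot tell that a project-scoped admin token satisfies `role:admin` here under the default configuration. A comment above `aggregates_policies = [` would close that gap, e.g. `# System-level rules use the plain admin check (role:admin); limiting them to system-scoped tokens relies on [oslo_policy] enforce_scope=True. A system reader role is planned for a later cycle, so GET rules are admin-only for now.` The same applies to the remaining hunks in this file and to hosts.py, hypervisors.py, quota_class_sets.py and services.py.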
@@ -36,7 +36,7 @@ aggregates_policies = [
scope_types=['system']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'add_host',
- check_str=base.SYSTEM_ADMIN,
+ check_str=base.ADMIN,
description="Add a host to an aggregate",
operations=[
{
@@ -47,7 +47,7 @@ aggregates_policies = [
scope_types=['system']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'create',
- check_str=base.SYSTEM_ADMIN,
+ check_str=base.ADMIN,
description="Create an aggregate",
operations=[
{
@@ -58,7 +58,7 @@ aggregates_policies = [
scope_types=['system']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'remove_host',
- check_str=base.SYSTEM_ADMIN,
+ check_str=base.ADMIN,
description="Remove a host from an aggregate",
operations=[
{
@@ -69,7 +69,7 @@ aggregates_policies = [
scope_types=['system']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'update',
- check_str=base.SYSTEM_ADMIN,
+ check_str=base.ADMIN,
description="Update name and/or availability zone for an aggregate",
operations=[
{
@@ -80,7 +80,7 @@ aggregates_policies = [
scope_types=['system']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
- check_str=base.SYSTEM_READER,
+ check_str=base.ADMIN,
description="List all aggregates",
operations=[
{
@@ -91,7 +91,7 @@ aggregates_policies = [
scope_types=['system']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
- check_str=base.SYSTEM_ADMIN,
+ check_str=base.ADMIN,
description="Delete an aggregate",
operations=[
{
@@ -102,7 +102,7 @@ aggregates_policies = [
scope_types=['system']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
- check_str=base.SYSTEM_READER,
+ check_str=base.ADMIN,
description="Show details for an aggregate",
operations=[
{
@@ -113,7 +113,7 @@ aggregates_policies = [
scope_types=['system']),
policy.DocumentedRuleDefault(
name=NEW_POLICY_ROOT % 'images',
- check_str=base.SYSTEM_ADMIN,
+ check_str=base.ADMIN,
description="Request image caching for an aggregate",
operations=[
{
diff --git a/nova/policies/availability_zone.py b/nova/policies/availability_zone.py
index 3b592674ac..de78dd864d 100644
--- a/nova/policies/availability_zone.py
+++ b/nova/policies/availability_zone.py
@@ -36,7 +36,7 @@ availability_zone_policies = [
scope_types=['system', 'project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'detail',
- check_str=base.SYSTEM_READER,
+ check_str=base.ADMIN,
description="List detailed availability zone information with host "
"information",
operations=[
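Review bot: The `scope_types` of the `detail` rule is outside this hunk, and it matters for this change: the preceding `list` rule is declared with `scope_types=['system', 'project']` on the context line above, and `base.ADMIN` carries no system-scope term in its check string. If `detail` is also declared for both scopes, a project-scoped admin token would pass even with enforce_scope=True, which contradicts the end state the commit message describes for system-level APIs; if it is `scope_types=['system']` only, the hunk is consistent. Worth confirming that `detail` keeps `scope_types=['system']`, since host information is exactly what the project scope should not see.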
diff --git a/nova/policies/baremetal_nodes.py b/nova/policies/baremetal_nodes.py
index 191d9db650..fdce0372b4 100644
--- a/nova/policies/baremetal_nodes.py
+++ b/nova/policies/baremetal_nodes.py
@@ -38,7 +38,7 @@ DEPRECATED_BAREMETAL_POLICY = policy.DeprecatedRule(
baremetal_nodes_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'list',
- check_str=base.SYSTEM_READER,
+ check_str=base.ADMIN,
description="""List and show details of bare metal nodes.
These APIs are proxy calls to the Ironic service and are deprecated.
@@ -53,7 +53,7 @@ These APIs are proxy calls to the Ironic service and are deprecated.
deprecated_rule=DEPRECATED_BAREMETAL_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'show',
- check_str=base.SYSTEM_READER,
+ check_str=base.ADMIN,
description="""Show action details for a server.""",
operations=[
{
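Review bot: `deprecated_rule=DEPRECATED_BAREMETAL_POLICY` is kept on the context line above while the new default drops to `base.ADMIN`; oslo.policy OR-s a deprecated check with the new one until `[oslo_policy] enforce_new_defaults` is set or the deprecated rule is removed, so the effective policy is the union of the two. If DEPRECATED_BAREMETAL_POLICY (defined above this hunk) is the legacy admin rule, the union now adds nothing and the deprecation only produces warnings; if it is broader than admin, it still widens access for every deployment that has not opted into the new defaults. Which case applies is not visible here and deserves a comment next to the definition, e.g. `# Legacy rule kept only for the deprecation period; with the new default at role:admin it should grant no additional principals — TODO confirm`. The same question applies to the deprecated rules in hosts.py, hypervisors.py and services.py.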
diff --git a/nova/policies/hosts.py b/nova/policies/hosts.py
index 64c36845bf..1505f225ba 100644
--- a/nova/policies/hosts.py
+++ b/nova/policies/hosts.py
@@ -38,7 +38,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
hosts_policies = [
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'list',
- check_str=base.SYSTEM_READER,
+ check_str=base.ADMIN,
description="""List physical hosts.
This API is deprecated in favor of os-hypervisors and os-services.""",
@@ -52,7 +52,7 @@ This API is deprecated in favor of os-hypervisors and os-services.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'show',
- check_str=base.SYSTEM_READER,
+ check_str=base.ADMIN,
description="""Show physical host.
This API is deprecated in favor of os-hypervisors and os-services.""",
@@ -66,7 +66,7 @@ This API is deprecated in favor of os-hypervisors and os-services.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'update',
- check_str=base.SYSTEM_ADMIN,
+ check_str=base.ADMIN,
description="""Update physical host.
This API is deprecated in favor of os-hypervisors and os-services.""",
@@ -80,7 +80,7 @@ This API is deprecated in favor of os-hypervisors and os-services.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'reboot',
- check_str=base.SYSTEM_ADMIN,
+ check_str=base.ADMIN,
description="""Reboot physical host.
This API is deprecated in favor of os-hypervisors and os-services.""",
@@ -94,7 +94,7 @@ This API is deprecated in favor of os-hypervisors and os-services.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'shutdown',
- check_str=base.SYSTEM_ADMIN,
+ check_str=base.ADMIN,
description="""Shutdown physical host.
This API is deprecated in favor of os-hypervisors and os-services.""",
@@ -108,7 +108,7 @@ This API is deprecated in favor of os-hypervisors and os-services.""",
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'start',
- check_str=base.SYSTEM_ADMIN,
+ check_str=base.ADMIN,
description="""Start physical host.
This API is deprecated in favor of os-hypervisors and os-services.""",
diff --git a/nova/policies/hypervisors.py b/nova/policies/hypervisors.py
index 02a179cb34..92bb12e90f 100644
--- a/nova/policies/hypervisors.py
+++ b/nova/policies/hypervisors.py
@@ -37,7 +37,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
hypervisors_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'list',
- check_str=base.SYSTEM_READER,
+ check_str=base.ADMIN,
description="List all hypervisors.",
operations=[
{
@@ -49,7 +49,7 @@ hypervisors_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'list-detail',
- check_str=base.SYSTEM_READER,
+ check_str=base.ADMIN,
description="List all hypervisors with details",
operations=[
{
@@ -61,7 +61,7 @@ hypervisors_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'statistics',
- check_str=base.SYSTEM_READER,
+ check_str=base.ADMIN,
description="Show summary statistics for all hypervisors "
"over all compute nodes.",
operations=[
@@ -74,7 +74,7 @@ hypervisors_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'show',
- check_str=base.SYSTEM_READER,
+ check_str=base.ADMIN,
description="Show details for a hypervisor.",
operations=[
{
@@ -86,7 +86,7 @@ hypervisors_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'uptime',
- check_str=base.SYSTEM_READER,
+ check_str=base.ADMIN,
description="Show the uptime of a hypervisor.",
operations=[
{
@@ -98,7 +98,7 @@ hypervisors_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'search',
- check_str=base.SYSTEM_READER,
+ check_str=base.ADMIN,
description="Search hypervisor by hypervisor_hostname pattern.",
operations=[
{
@@ -110,7 +110,7 @@ hypervisors_policies = [
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'servers',
- check_str=base.SYSTEM_READER,
+ check_str=base.ADMIN,
description="List all servers on hypervisors that can match "
"the provided hypervisor_hostname pattern.",
operations=[
diff --git a/nova/policies/quota_class_sets.py b/nova/policies/quota_class_sets.py
index 5a41a79bec..e9d22d2f68 100644
--- a/nova/policies/quota_class_sets.py
+++ b/nova/policies/quota_class_sets.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-quota-class-sets:%s'
quota_class_sets_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
- check_str=base.SYSTEM_READER,
+ check_str=base.ADMIN,
description="List quotas for specific quota classs",
operations=[
{
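Review bot: The description on the context line, `List quotas for specific quota classs`, has a typo that ends up in the generated policy documentation next to this change; `description="List quotas for specific quota class",` fixes it. Apart from that, the `show` rule is consistent with the other GET rules moved to `base.ADMIN` in this commit.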
@@ -35,7 +35,7 @@ quota_class_sets_policies = [
scope_types=['system']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'update',
- check_str=base.SYSTEM_ADMIN,
+ check_str=base.ADMIN,
description='Update quotas for specific quota class',
operations=[
{
diff --git a/nova/policies/services.py b/nova/policies/services.py
index bd4e455a95..8174bf92df 100644
--- a/nova/policies/services.py
+++ b/nova/policies/services.py
@@ -37,7 +37,7 @@ DEPRECATED_SERVICE_POLICY = policy.DeprecatedRule(
services_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'list',
- check_str=base.SYSTEM_READER,
+ check_str=base.ADMIN,
description="List all running Compute services in a region.",
operations=[
{
@@ -49,7 +49,7 @@ services_policies = [
deprecated_rule=DEPRECATED_SERVICE_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'update',
- check_str=base.SYSTEM_ADMIN,
+ check_str=base.ADMIN,
description="Update a Compute service.",
operations=[
{
@@ -62,7 +62,7 @@ services_policies = [
deprecated_rule=DEPRECATED_SERVICE_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'delete',
- check_str=base.SYSTEM_ADMIN,
+ check_str=base.ADMIN,
description="Delete a Compute service.",
operations=[
{